At least one other site is using the same HTTPS binding

“At least one other site is using the same HTTPS binding …..”  is a prompt that every Windows Server IIS administrator has come across at some point.  It arises when trying to change or update an SSL certificate on Windows server IIS platform where there are multiple websites and potentially multiple certificates.

Multiple Sites Using Same IP and SSL

Multiple sites sharing an IP address use a process of host-header recognition in order to accept the in-bound connection. Where this is on port 80 (http) there is no issue.

However, with port 443, the IP address and port number are also bound to a certificate and changing one site certificate will impact all the other sites on the same IP address and port combination. Hence the following Alert (error) message is displayed.

IIS SSL Multiple Sites Alert
IIS SSL Multiple Sites Alert

Accepting or rejecting really depends on your server and what sites and certificates are actually in use. However, this may impact on the other sites and my past experience has been that other sites can be left in an unstable state either without a binding, a certificate, or a mix-up on which certificate.

Change SSL Certificate for Multiple Sites

Use the following steps to prepare manual change at the command line in order to avoid the above error message and address all sites using the same IP address : port and certificate at the same time.

All the detailed information has been sanitised to use dummy data, you will need to substitute the relevant information for your certificates and server.

First examine the certificates in use opening a command prompt – this is all read activity so Run as Administrator is not required, yet.

certutil -store My

This will display lists of certificates and applications like the following. I selected the 2 that I was looking for as follows:

the old certificate – based on NotBeforeDate – you need the highlighted hash from each certificate

================ Certificate 7 ================
Serial Number: 1234567890abcdef1234567890abcdef1234
Issuer: CN=AlphaSSL CA – G2, O=AlphaSSL
NotBefore: 01/01/2014 11:27 AM
NotAfter: 31/12/2016 11:27 AM
Subject: CN=*.yourdomain.tld, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1): 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
Key Container = 12345a8277cd156abcd09d20dcba5c31_g3239vv5-8181-1234-b6ba-bbbb
78ccd34
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test FAILED
CertUtil: -store command completed successfully.

and the new certificate – based on NotBeforeDate

================ Certificate 4 ================
Serial Number: 67890abcdef12341234567890abcdef12345
Issuer: CN=AlphaSSL CA – SHA256 – G2, O=GlobalSign nv-sa, C=BE
NotBefore: 01/01/2015 9:02 AM
NotAfter: 31/12/2016 11:27 AM
Subject: CN=*.yourdomain.tld, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1): 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78 12 34 56
Key Container = 1234abcd54d7161def4863d4d6b96633_f3239aa5-8080-1234-b6ba-abcd
78ccd34
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test FAILED

Next, identify the ip address that is in use and, assuming that standard https is being used, port 443. This could be done by checking within IIS first to check which common IP address is being used.

netsh http show sslcert

Which will show all the ssl certificate bindings, or if you know which ipaddress, then be selective

netsh http show sslcert ipport=223.27.11.71:443

Will show the results like:

SSL Certificate bindings:
————————-IP:port                 : 223.27.11.71:443
Certificate Hash        : 1234567890abcdef1234567890abcdef12345678
Application ID          : {34567812-3456-7890-abcd-ef123456789d}
Certificate Store Name  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

The application ID is what is needed from the above but check that the correct certificate hash (the old one) is associated with this binding.

Now select all the relevant information from the results as shown

Old certificate hash (with spaces removed)

1234567890abcdef1234567890abcdef12345678

New certificate hash (with spaces removed)

7890abcdef1234567890abcdef12345678123456

and the AppID

{34567812-3456-7890-abcd-ef123456789d}

The following two steps will need a new elevated command window selected with ‘Run as Administrator’

Delete old binding

netsh http delete sslcert ipport=223.27.11.71:443

Then add new using hash and appid

netsh http add sslcert ipport=223.27.11.71:443 certhash=7890abcdef1234567890abcdef12345678123456 appid={34567812-3456-7890-abcd-ef123456789d}

which should result in

SSL Certificate successfully added

And finally if you want to check that it has been applied

netsh http show sslcert | findstr /R "7890abcdef1234567890abcdef12345678123456"

or to check that the old certificate hash is not still in use on another ipaddress:port binding use the above with the old certificate hash.

 

Reference: http://serverfault.com/questions/610841/replace-wildcard-certificate-on-multiple-sites-at-once-using-command-line-on-i

Leave a Reply

Your email address will not be published. Required fields are marked *